November 18, 2002 IETF #55, ATLANTA1 Problem with Compound Authentication Methods Jesse Walker Intel Corporation (

Slides:



Advertisements
Similar presentations
Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Advertisements

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Doc.: IEEE /275 Submission September 2000 David Halasz, Cisco Systems, Inc.Slide 1 IEEE 802.1X for IEEE David Halasz, Stuart Norman, Glen.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT (v0.2) / 6-Nov-02 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI.
Jesse Walker, keying requirements1 Suggested Keying Requirements Jesse Walker Intel Corporation
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
802.1x EAP Authentication Protocols
Protected Extensible Authentication Protocol
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE Wireless Local Area Networks (WLAN’s).
Vulnerability Analysis of Mobile and Wireless Protocols.
WLAN security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents WEP (Wired Equivalent Privacy) No key management Authentication.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Michal Rapco 05, 2005 Security issues in Wireless LANs.
Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
WIRELESS LAN SECURITY Using
Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:
Eugene Chang EMU WG, IETF 70
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
Securing your wireless LAN Paul DeBeasi VP Marketing
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
WEP Protocol Weaknesses and Vulnerabilities
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
All Rights Reserved © Alcatel-Lucent 2007, ##### 1 | Presentation Title | January 2007 UMB Security Evolution Proposal Abstract: This contribution proposes.
EAP-based Mediating Network Selection Copyright © 2003, The Internet Society Farid Adrangi Intel Corporation ( ) ACKNOWLEDGEMENTS:
1 A VPN based approach to secure WLAN access John Floroiu
Lecture 24 Wireless Network Security
Doc.: IEEE /200 Submission September 2000 Ron Brockmann, Intersil Plug-n-Play Security in the Home & Small Business Ron Brockmann Intersil.
EAP-FAST Version 2 draft-zhou-emu-eap-fastv2-00.txt Hao Zhou Nancy Cam-Winget Joseph Salowey Stephen Hanna March 2011.
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
March 17, 2003 IETF #56, SAN FRANCISCO1 Compound Authentication Binding Problem (EAP Binding Draft) Jose Puthenkulam Intel Corporation (
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
Wireless Unification Theory William Arbaugh University of Maryland College Park.
N. Asokan, Kaisa Nyberg, Valtteri Niemi Nokia Research Center
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
SubmissionJoe Kwak, InterDigital1 Simplified 11k Security Joe Kwak InterDigital Communications Corporation doc: IEEE /552r0May 2004.
1 EAP-MAKE2: EAP method for Mutual Authentication and Key Establishment, v2 EMU BoF Michaela Vanderveen IETF 64 November 2005.
Nov 10, EAP-based Mediating Network Discovery and Selection Copyright © 2003, The Internet Society Farid Adrangi Intel Corporation (
1 Extensible Authentication Protocol (EAP) Working Group IETF-57.
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
CSE 4905 WiFi Security II WPA2 (WiFi Protected Access 2)
History and Implementation of the IEEE 802 Security Architecture
Module 9: Configuring Network Access
RADEXT WG RADIUS Attributes for WLAN Draft-aboba-radext-wlan-00.txt
PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)
OAuth WG Conference Call, 11th Jan. 2013
Carrying Location Objects in RADIUS
A Wireless LAN Security Protocol
editor: Stephen Farrell,
IETF-70 EAP Method Update (EMU)
802.1X and key interactions Tim Moore November 2001
The Tunneled Extensible Authentication Method (TEAM)
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
SECMECH BOF EAP Methods
CSE 4095 Transport Layer Security TLS
Extended Authentication Protocol (EAP) Vulnerabilities exploited through Rogue Access Points Stephen Cumella.
Secure Authentication System for Public WLAN Roaming
SECURING WIRELESS LANS WITH CERTIFICATE SERVICES
MAC Address Hijacking Problem
PEKM (Post-EAP Key Management Protocol)
Agenda retrospective - B. Aboba Lunch
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Link Setup Flow July 2011 Date: Authors: Name Company
Security Activities in IETF in support of Mobile IP
PAA-2-EP protocol PANA wg - IETF 58 Minneapolis
(draft-josefsson-pppext-eap-tls-eap-06.txt)
Link Setup Flow July 2011 Date: Authors: Name Company
Presentation transcript:

November 18, 2002 IETF #55, ATLANTA1 Problem with Compound Authentication Methods Jesse Walker Intel Corporation ( ACKNOWLEDGEMENTS: N.ASOKAN, KAISA NYBERG, VALTTERI NIEMI, HENRY HAVERINEN, NOKIA JOSE PUTHENKULAM, VICTOR LORTZ, FARID ADRANGI, INTEL CORPORATION BERNARD ABOBA, ASHWIN PALEKAR, DAN SIMON, MICROSOFT

November 18, 2002 IETF #55, ATLANTA2 Problem = Man-in-the-Middle Attacks Compound Methods = Tunneled or Sequenced Methods where there is no strong mutual authentication where the keys derived from mutual authentication are not the keys used for ciphering the link where tunnel termination is not on the real endpoints (client or server) where the authentication protocol derives no keys We focus mainly on tunneled EAP authentication methods

November 18, 2002 IETF #55, ATLANTA3 WLAN Man-in-the-Middle Attack Assumptions: – Rogue AP/Suppliant combo device acts as man-in-the middle – Real Supplicant/Server supports any unprotected EAP type without tunnel protocol Observations – WLAN Session stolen by the attack – EAP-TTLS, PEAP, PIC, PANA over TLS, XAUTH… all susceptible

November 18, 2002 IETF #55, ATLANTA4 EAP-TTLS Normal WLAN Authentication 802.1XRADIUS EAP Wireless Station EAP/Identity Request EAP/Identity Response Tunnel establishment EAP/Identity Request EAP/Identity Response (user EAP/ Request / Method Challenge EAP/Response/Method Response EAP/ Success EAP Method inside Tunnel SupplicantAuthenticator WLAN Session Tunnel Keys ClientAPAAA-H ServerTTLS Server Inner Method Keys Derived & Not Used Inner Method Keys Derived Tunnel Keys Derived

November 18, 2002 IETF #55, ATLANTA5 EAP-TTLS based WLAN session stealing EAP/Identity Request EAP/Identity Response Tunnel establishment EAP/Identity Request EAP/Identity Response (user EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in Tunnel WLAN Session Stolen Tunnel Keys ClientMitM AAA-H Server TTLS Server AP Inner EAP Method Keys Derived & Not used Tunnel Keys Derived Inner Method Keys Derived

November 18, 2002 IETF #55, ATLANTA6 PEAP/EAP-AKA WLAN Session Stealing

November 18, 2002 IETF #55, ATLANTA7 Tunnels Problem Analysis One-way authenticated tunnel Even secure inner methods are vulnerable when composed incorrectly. Man-in-the-middle can trick client into believing it is a server Session keys derived from tunnel protocol only. Keys derived in inner EAP method (e.g., Method Keys) are not used. Client policy of not always using tunnels causes failure Any Client EAP method not cryptographically bound to Tunnel Session Keys potentially vulnerable All non-ciphered/non-protected links fully vulnerable

November 18, 2002 IETF #55, ATLANTA8 Solution Requirements Fixes to existing EAP methods not ok Fixes to new EAP methods maybe ok Fixes to Tunnel methods maybe ok Should work for different tunnel termination models Should not bring new requirements for other protocols (eg. RADIUS ) Forward Evolution for protocols with fix Backwards compatibility for fixed protocols Simplicity for fix (low compute costs & roundtrips) Upgraded EAP Base protocol maybe ok

November 18, 2002 IETF #55, ATLANTA9 EAP Methods classification Methods which support ciphering –Derive session keys –Do key distribution to Access points using RADIUS attributes –Eg. EAP-MSCHAPv2, EAP/SIM, EAP/AKA Methods which don’t support ciphering –Not protected –Eg. EAP-MD5 FIXABLE FIXABLE BY USAGE RESTRICTION

November 18, 2002 IETF #55, ATLANTA10 Solution Concept Compound MACs –MACs computed from safe one-way derivation from keys of all EAP methods Compound Keys –Bound Key derived using safe one-way derivation from keys of all EAP methods Additional strong mutual authentication round trip with acknowledged success message –Success Message with Client MAC –Success-Ack Message with Server MAC over Client MAC

November 18, 2002 IETF #55, ATLANTA11 Man-in-the-middle attack failure with solution EAP/Identity Request EAP/Identity Response TLS Session establishment EAP/Identity Request EAP/Identity Response (user EAP/ Request / Method Challenge EAP/Response/ Method Response EAP/ Success EAP-Method in TLS Protected Session No Keys Sent ClientMitM AAA-H Server TTLS Server AP Inner EAP Method KeysCompound MAC Success Compound MAC Failure Attack Detected No WLAN Access Crypto Binding Inner EAP Method Keys Tunnel Keys Derived

November 18, 2002 IETF #55, ATLANTA12 Why cryptographic binding? Methods that use a weak keys 1.MUST be used within a server authenticated tunnel, and 2.MUST NOT be used without tunnel to authenticate same client #2 drastically reduces use of legacy auth. protocols –MUST NOT be imposed on protocols that use strong keys Tunneling protocols (PEAP, POTLS etc.) address #1 –But they treat the inner protocol as a blackbox (any EAP type) Hence the need for optional binding of tunnel and EAP method This allows tunneling protocols to –generic: handle both weak and strong authentication methods –secure: avoid MitM attack –non-invasive: avoid imposing restrictions on strong methods

November 18, 2002 IETF #55, ATLANTA13 Recommendations to EAP WG Tunneled and Sequenced Protocols have evolved from NEED Problem needs to be fixed Best fix would be –in EAP base protocol, and –in tunneling protocols Recommend formation of design team to study proposed fixes and recommend solution for EAP base protocol

November 18, 2002 IETF #55, ATLANTA14 References Nokia Research Center – – Intel Corporation, Microsoft – eap-binding-00.txthttp:// eap-binding-00.txt

November 18, 2002 IETF #55, ATLANTA15 Backup

November 18, 2002 IETF #55, ATLANTA16 Tunneled Methods Generic Model Terminology Tunnel endpoint is authentication ”agent” Authentication protocol endpoint is authentication ”server” ”Front-end” authenticator is end of access link to be authenticated Agent and Server may be co-located ClientAuthenticationAgentAuthenticationServer Stage 1: Tunnel Method Server authenticated for secure tunnel establishment Stage 2: Client Authentication Method Performs Client/User Authentication secure tunnel Front-endauthenticator Ciphered Link Tunnel Keys

November 18, 2002 IETF #55, ATLANTA17 Sequenced Methods Generic Model ClientAuthentication Agent 1 Authentication Agent 2 Protocol Sequence 1 Client AND/OR Server Authentication Protocol Sequence 2 Client AND/OR Server Authentication Front-endauthenticatorAuthenticationServer Protocol Sequence N Client AND/OR Server Authentication …. … No Session Keys Open Link Terminology ”Front-end” authenticator is end of access link to be authenticated Intermediate endpoint in sequence is an authentication ”agent” Final authentication endpoint is authentication ”server” Agents and Server may be co-located.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.